CELAR
CONFIDENTIAL SMART-CONTRACT LAYER 1

Privacy is the protocol.

An EVM-equivalent Layer 1 where balances, amounts, and contract state live under protocol-level threshold FHE — confidential by construction, verifiable by anyone, with a ZK shielded pool for trustless privacy.

CELAR MAINNET — ENCRYPTED MEMPOOLLIVE
OUTCOME ⟦ENCRYPTED⟧GAS TIER UNIFORMMEV NONE
SCROLL
01/ PRIVACY STACK

Three tiers of confidentiality. One chain.

Privacy on Celar is not an add-on contract — it is the protocol's data plane. Every tier is specified against explicit adversary classes, with a published leakage matrix instead of adjectives.

TIER_01 / FHE STATE

Encrypted smart-contract state

Amounts, balances, and contract values are TFHE ciphertexts evaluated on-chain via programmable bootstrapping. ConfidentialERC20 out of the box.

  • Branchless transfers — failure indistinguishable from success
  • On-chain ACLs: no decryption without owner or contract grant
  • Supply remains publicly auditable at all times
TIER_02 / STEALTH LAYER

Unlinkable recipients & relayers

Dual-key stealth addresses (ERC-5564 pattern) give every payment a fresh one-time address; bonded relayers obfuscate senders.

  • DDH-based unlinkability across payments
  • One-byte view tags for fast wallet scanning
  • Rogue-key registration griefing closed with dual Schnorr PoKs
TIER_03 / ZK SHIELDED POOL

Trustless against unbounded collusion

A Groth16 shielded pool over BLS12-381: sender, recipient, and amount privacy that survives even a fully colluding validator set.

  • 192-byte proofs, ~3-pairing verification
  • Fixed 2-in/2-out circuit; dummy inputs indistinguishable
  • Committee-independent and recovery-free by construction
02/ BUILD

Fully EVM-equivalent. Zero new opcodes.

Standard EVM semantics, Solidity toolchain, address model, and JSON-RPC. Confidential features enter only through precompiles — existing contracts, wallets, and tooling work unmodified.

  • /01Encrypted types in Solidityeuint8…euint64 and ebool via a TFHE.sol standard library; handles in storage, ciphertexts in the FHE data plane.
  • /02Branchless rule, tool-enforcedNo revert may depend on encrypted data — enforced at compile time and re-checked by bytecode analysis at deployment. Violating contracts are rejected.
  • /03Backend-agnostic precompile ABISwapping the FHE backend is a node-level change, invisible to deployed contracts.
  • /04No gas fingerprintingFHE operations meter a separate fee dimension in flat per-class tiers — realized gas never leaks encrypted control flow.
CONFIDENTIALVAULT.SOL● COMPILES → PRECOMPILES
import {TFHE, euint64, ebool} from "celar/TFHE.sol";

contract ConfidentialVault {
  mapping(address => euint64) private bal;

  function transfer(address to, euint64 amt) external {
    ebool ok = TFHE.and(
      TFHE.le(amt, bal[msg.sender]),   // funds check
      TFHE.le(amt, TFHE.sub(MAX, bal[to])) // overflow guard
    );
    euint64 m = TFHE.select(ok, amt, ZERO);
    bal[msg.sender] = TFHE.sub(bal[msg.sender], m);
    bal[to]         = TFHE.add(bal[to], m);
    // no revert, no branch, no leakage —
    // outcome visible only to the owner via re-encryption
  }
}
03/ BRANCHLESS

A transfer that never tells.

Every confidential transfer is consensus-valid whether or not it succeeds. Uniform gas tier, no revert, no event difference — an external observer learns nothing from the outcome.

STEP_01
ok₁ = ⟦a⟧ ≤ ⟦balₛ⟧

Encrypted comparison: does the sender have the funds? The answer stays encrypted.

STEP_02
ok₂ = overflow guard

A second encrypted check protects the recipient balance; ok = ok₁ ∧ ok₂.

STEP_03
m = select(ok, ⟦a⟧, ⟦0⟧)

The moved amount is the value — or an encrypted zero. No branch ever executes.

STEP_04
balₛ −= m; balᵣ += m

Balances update identically in both worlds. Only the sender learns the outcome, via self re-encryption.

Fair ordering, no MEV market. Block ordering is deterministic from threshold-derived, tx-set-bound VRF randomness — no continuous priority auction, content-blind inclusion, and (v2) a threshold-encrypted mempool where ordering-by-content becomes impossible rather than forbidden.
04/ THRESHOLD KMS

No single party ever holds the key.

The TFHE secret key exists only as shares across a 100-seat committee. Decryption and re-encryption require a 79-seat quorum, every action is attributable and slashable, and the capture bound is constitutional — governance cannot weaken it.

◆ Genesis

Publicly verifiable DKG

A robust distributed key generation with published transcripts and on-chain complaint resolution produces linear shares — plus the CRS for input proofs. Misbehaving parties are excluded before genesis.

KEY VECTOR NEVER RECONSTRUCTED — ANYWHERE, EVER
◆ Decryption

Noise-flooded threshold decryption

Authorized reveals combine t partial decryptions, each flooded with calibrated noise so repeated decryptions stay safe under adversarially influenced ciphertexts (IND-CPA-D), with per-epoch query budgets.

σ_flood ≥ 2^λstat · B_eval · BUDGET Q_max
◆ Epochs

Proactive resharing

Shares refresh every epoch; old shares become useless. An adversary must corrupt ≥ 79 seats within a single epoch. Committee seats rotate on staggered 25-epoch terms via a domain-separated VRF beacon.

EFFECTIVE CAPTURE ≈ 0.60 OF ELIGIBLE STAKE / 10 Y
◆ Accountability

Attributable slashing & recovery

Every partial decryption is a signed, self-contained fraud proof — unauthorized service is severely slashed. Disaster recovery is a sealed resharing-only quorum behind an on-chain, timelocked activation predicate: public by construction, never covert.

NO COVERT DECRYPTION PATH — G6
05/ LEAKAGE

What each tier actually hides.

Most privacy chains market adjectives. Celar publishes a consolidated leakage matrix against named adversary classes — including its declared v1 non-goals.

Data itemPublic tierFHE tier (v1)ZK pool (v2)
AmountVisibleHidden*Hidden
Balances / stateVisibleHidden*N/A — notes
Sender identityVisibleRelayer-obfuscatedHidden
Recipient identityVisibleOne-time stealth addrHidden
Transfer success / failureVisibleHidden — branchlessContents hidden
Contract call targetVisibleVisible — v1.x roadmapN/A — pool precompile
* Hidden unless the FHE-tier trust assumption fails (coalition ≥ 79 committee seats). ZK-pool entries hold against unbounded collusion. Full matrix with adversary classes 𝒜₁–𝒜₅: whitepaper, Appendix B.
06/ TOKEN

Security priced in closed form.

Issuance, staking, and the privacy guarantee are bound together by a published health rule: the cost of corrupting a decryption quorum must stay at least 2× the value shielded on-chain — recomputed continuously, constitutionally enforced.

1B
Genesis supply
10⁹ tokens, 9 decimals. Supply publicly auditable per block (G5).
~11.7%
Year-1 nominal APR
≈ 4.7% real + fee income at the σ* = 0.60 staking target; real yield is the headline figure.
1.5%
Issuance floor
i(y) = max(1.5%, 7% · 0.8ʸ). Governance may lower the floor, never raise it.
ℋ ≥ 2
Health rule
Corruption cost ≥ 2× shielded value at risk — the security–economic binding constraint.

Genesis allocation

TGE FLOAT ≈ 9% · INSIDER ALLOCATIONS VEST IN TRANSPARENT BALANCES · BURNSHARE ≥ 0.5 · 21-DAY UNBONDING
Community / ecosystem 37%
Investors 20%
Team 18%
Foundation 15%
Liquidity / public 6%
Genesis validator program 4%
07/ GUARANTEES

Six guarantees. Stated, not implied.

G1

Ledger integrity

BFT safety under f < n/3 with instant finality; the supply invariant is machine-checked every block.

G2

FHE-tier confidentiality

Amounts, balances, and contract state stay hidden against any coalition below the 79-seat quorum.

G3

Recipient unlinkability

Stealth addresses and relayer indirection reduce the observer's view to relayer, one-time address, tier, and time.

G4

Pool privacy vs. unbounded collusion

Shielded-pool anonymity holds even if every validator colludes — cryptography, not committee trust.

G5

Supply auditability

Total supply is publicly verifiable at all times: encrypted state can never mint or hide inflation.

G6

No covert decryption path

Every decryption requires owner or contract authorization; violations are attributable and slashable, and the only recovery path is public-by-construction.

Go confidential.

Read the full technical specification.